Tag Archive: WDATP

This post continue to explore the hunting capatibilities in Defender ATP by query for Exploit Guard detections.

So what’s this Exploit Guard?

Windows Defender Exploit Guard is a new set of intrusion prevention capabilities which are built-in with Windows 10, 1709 and newer versions.

Exploit Guard consists of 4 components which are designed to lock down the device against a wide variety of attack vectors and block behaviors commonly used in malware attacks, while enabling enterprises to balance their security risk and productivity requirements

Component

Details

Attack Surface Reduction (ASR)

A set of controls that enterprises can enable to prevent malware from getting on the machine by blocking Office-, script-, and email-based threats

Network Protection

Protects the endpoint against web-based threats by blocking any outbound process on the device to untrusted hosts/IP through Windows Defender SmartScreen

Exploit Guard is configured through MDM (Intune) or SCCM or GPO’s or PowerShell.

If you have Microsoft 365 E5 license or Threat Protection license package, you don’t have to use Windows Event Forward to get the events in a central log solution. They will automatically be forwarded to your Microsoft 365 security portal https://security.microsoft.com where you have a nice looking dashboard where you can see alerts and configurations of ASR and other things.

This following dashboard is a part from the Monitor and Report section in the portal

Back to Defender ATP and the hunting which this post was supposed to be all about.

We have published some posts now about hunting custom alerts.

In the query console in Defender ATP we started to go backwards to find the ASR events. It’s simple. configure your client, run a few attacks which will trigger the alerts.

We looked in the MiscEvents for all events (filtered on computername and time). Which gaves us ideas of ActionTypes to use in the query.

Examples from the output:

AsrOfficeMacroWin32ApiCallsAudited

AsrPsexecWmiChildProcessBlocked

ControlledFolderAccessViolationBlocked

ExploitGuardAcgAudited

ExploitGuardChildProcessAudited

ExploitGuardNetworkProtectionBlocked

ExploitGuardNonMicrosoftSignedAudited

ExploitGuardWin32SystemCallBlocked

SmartScreenAppWarning

SmartScreenUrlWarning

SmartScreenUserOverride

Interesting note “SmartScreenUserOverride” is a separate event which you can query

When we had the raw Actiontypes we created the query to cover as much as we could.

We are also parsing AdditionalFields to be able to add extra value to events which contained such data.

From this point we can do additional filters. For example, if you want to enable ASR enterprise wide, set them in auditmode and report on the alerts without affect user productivity, remediate and the do a enterprise wide block enrollment

It will be good if you add some details in the recommended actions if someone else will take action on the alert, or at least add a pointer to where they can find further information on requred actions. (Information sharing is important).

It’s possible to change this infomation later on.

On the Detection Rule page you can see the alerts and other information regards the detection rule.

All the rules will be listed at the left side in the hunting section.

For further infomation about the new preview features please go to this url:

If you need permission to do X you should only have access to do X and not several other things.

That’s why you should define the roles and reponsibilities in your organization to make sure you can apply a least privilege strategy.

Many products supports RBAC and should be used.

Working with Roles in Windows Defender ATP is very simple. You can enable it in Settings menu.

Settings > Roles > Enable Roles

The Global administrator role is added by default and have full permissions which can’t be changed.

Creating Roles

It’s not a bad idea to create a few roles, even if it’s just ju who are the complete security team. One reason is organizational changes and one important reason is that we don’t want people to work as global administrators.

A while ago Microsoft released the Threat Hunting capatibilities in WD ATP.

This is a great feature since you’re able to query a lot of things across your devices.

Example scenario:

Let’s say you receive IoC’s for an ongoing attack or investigate threat actors with known files or IP’s you can Query these IoC’s on both on-prem devices and devices which only exists on the internet and never in the office.

That’s one of the benefits of using cloud security services.

As we wrote in the last post it’s now possible to onboard older operating systems like Windows 7 and Windows 8.1. There is also possible to onboard Linux systems and Macs

Threat Hunting

The hunting capatibilities in WD ATP involves running queries and you’re able to query almost everything which can happen in the Operating System.

If you’re familiar with Sysinternals Sysmon your will recognize the a lot of the data which you can query.

The query language is very similar to Splunk and adoption to these queries should be straight forward
ProcessCreationEvents
| where EventTime > ago(30d)
| where FileName in~ ("powershell.exe", "powershell_ise.exe")
| where ProcessCommandLine has "Net.WebClient"
or ProcessCommandLine has "DownloadFile"
or ProcessCommandLine has "Invoke-WebRequest"
or ProcessCommandLine has "Invoke-Shellcode"
or ProcessCommandLine has "Invoke-Mimikatz"
or ProcessCommandLine has "http:"
| project EventTime, ComputerName, InitiatingProcessFileName, FileName, ProcessCommandLine
| top 100 by EventTime

Use “Project” to select which columns you want in the output and you can export the result to a spreadsheet.

In the above example we ran a query to find malicious powershell commands being executed.

You can also, for example, query all powershell executions from Office applications
ProcessCreationEvents
| where EventTime > ago(14d)
| where ProcessCommandLine has "powershell"
| where InitiatingProcessFileName in~ ("winword.exe", "excel.exe", "powerpoint.exe")

You can also use the quick search to finns URL’s, File hashes, IPs

The output will show you hits in organization and prevalance world wide which will give you more indication of a threat.

When we search for a filehash we can also submit the file for deeper analysis.

Today Microsoft announced that it’s now possible to onboard older legacy operatingsystems to ATP (Advanced Threat Protection) when the public preview that is available.

Windows 7 SP1 Enterprise

Windows 7 SP1 Pro

Windows 8.1 Pro

Windows 8.1 Enterprise

Even though we Always recommend using the latest versions there might be scenarios where you need the advanced detection and response capatibilities and of ATP and it’s not possible to upgrade the machines.

The difference between Windows 10 and the older versions is that is not built-in and you have to install an Microsoft Monitoring agent which will connect to your workspace and report the sensor data.

We often talk about risks only in term.s of potential loss, but most risks have the potential for gain too. To manage cybersecurity as a business risk, we need to better understand the opportunities and risks of key business drivers The post Managing cybersecurity like a business risk: Part 1—Modeling opportunities and threats appeared first […]

Microsoft identity engineering has expanded product partnerships to help customers transform digitally with Azure AD-integrated solutions. The post 4 identity partnerships to help drive better security appeared first on Microsoft Security.

As secure remote work becomes the new normal, Microsoft security and Zscaler provide guidance on enabling Zero Trust starting with secure access. The post Zero Trust and its role in securing the new normal appeared first on Microsoft Security.

5 questions that will help you select open source software and 4 recommendations to smooth the internal approval process. Advice from the RSA 2020 panel discussion, Open Source: Promise, Perils and the Path Ahead. The post Build support for open source in your organization appeared first on Microsoft Security.

Your network is unique. It’s a living, breathing system evolving over time. The applications and users performing these actions are all unique parts of the system, adding degrees of disorder and entropy to your operating environment. The post Success in security: reining in entropy appeared first on Microsoft Security.

If an internet-connected device performs a non-critical function, why does it need to be highly secured? Because any device can be the target of a hacker, and any hacked device can be weaponized. The post Cybersecurity best practices to implement highly secured devices appeared first on Microsoft Security.

As part of this week’s Build virtual event, we’re introducing new Identity innovation to help foster a secure and trustworthy app ecosystem, as well as announcing a number of new capabilities in Azure to help secure customers. The post Microsoft Build brings new innovations and capabilities to keep developers and customers secure appeared first on […]

Cybersecurity provides the underpinning to operationally resiliency as more organizations adapt to enabling secure remote work options, whether in the short or long term. The post Operational resilience in a remote work world appeared first on Microsoft Security.

While the world faces the common threat of COVID-19, defenders are working overtime to protect users all over the globe from cyber-criminals using COVID-19 as a lure to mount attacks. The post Open-sourcing new COVID-19 threat intelligence appeared first on Microsoft Security.

This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish.AcceptRead More